Unfortunately there was an Oppo homebrewn secondary PIN on some of their built in apps, which hadn't been reset, but it turned out I could enter the PIN as many times as I wanted, so I made a small script to brute force it via ADB (input text). Took half an hour to disable the secondary PIN with my script.
I should probably have said "cheap phones" - I am not sure. Every ODM/OEM is different.
But it is an interesting discussion for sure and made me think about my experiences. What kind of software engineering department would make a mistake like this? I bet 1 USD that I could spend one hour with their engineers and I would be able to predict if this would be a mistake they would make. :)
After this finding , the data collection incident a month ago, and their last 1Gb+ OTA update that bootlooped my phone, I think I'm done with OnePlus products. I enjoyed the hardware but I can't tolerate this much malice/incompetence in software in something as critical to my daily life.
I'm sure some posters will suggest that this is what we deserve for trusting a Chinese OEM, but I still find it all very sad.
Steal data, brick devices, and leave backdoors: How to lose a customer in three easy steps.
Do like me, if you don't want to trash a OnePlus device: install LineageOS.
I should add, I flashed PA because I bought a really expensive pair of bluetooth headphones (from Sony) that were having really bad connectivity issues that have been mostly resolved by changing roms.
I really wish there was a decent Linux phone I could buy ... anyone know if there are any good contenders or future prospects?
> Librem 5, the phone that focuses on security by design and privacy protection by default. Running Free/Libre and Open Source software and a GNU+Linux Operating System designed to create an open development utopia, rather than the walled gardens from all other phone providers.
You can now buy a Sony EXperia X and flash it to Sailfish OS.
I am quite happy with Sailfish. Still using it on my Jolla 1 as a daily driver after 3 years.
If you include Android -- I have had a satisfactory experience with both the Samsung Galaxy S6 and LG Nexus 5x. The 5x did bootloop recently but Nexus repaired it (and upgraded to 32GB) beyond the end of their warranty.
Still being developed and not ready for prime time yet.
Android is open, you can run anything on it that you want. Doesn't make it better or worse than iOS.
Everyone needs to make an informed decision about what they want from their phone.
I also have the EngineerMode installed and it's also using data; "61.34mb since 1 Aug".
It's worth noting that the data usage (752kb since Nov 1st) says it also includes other apps, I've listed them below for reference as I've not seen anyone else mention this yet. There's certainly some interesting names.
Content Adaptive Backlight Settings
OnePlus System Service
OnePlus Camera Service
ANT HAL Service
Sensor Test Tool
Looking at the data usage for several of the connected apps (my list is identical to yours as far as I can tell), it looks like the only data they send is as
a subset of engineer mode (their individual data sent isn't shown, only the engineer mode total).
There's definitely some concerning names there. Double checking my recent screenshots, it seems at least that it couldn't be sending full images with as much data as it's used. It's likely that it's not sending data from all of these, but just accessing them at some point. The previous leak on here revealed that OnePlus could track when you opened and closed apps. Based on this, it could potentially track your location, when you take screenshots, when you make phone calls, and a host of other information.
How does LineageOS help security exactly?
Please elaborate though. How is an unlocked bootloader is more secure than than EngineerMode appearing on a phone ? Conclusion #6:
> Encryption is insecure with an unlocked bootloader or an open-access recovery.
If you have LineageOS with TWRP and an unlocked bootloader then it appears you have an insecure device.
1. Unlock bootloader
2. Install aftermarket recovery (CWM or TWRP)
3. Install new ROM (PA)
Assuming you have TWRP installed, LineageOS has instructions for your specific situation (installing from recovery) at: https://wiki.lineageos.org/devices/oneplus3/install#installi...
If you have CWM or something else, it should be relatively easy to translate the instructions to your specific situation. If you have trouble, you can just start from the beginning of that document for instructions to install TWRP instead.
If you want Google Apps (gmail, etc) installed, you'll need to download that from here: http://opengapps.org/ (ARM64, 7.1) and treat that as your "additional packages" for the purposes of those instructions.
Most OEMs should have some sort of downloads available. If that fails, you can generally find a thread on the xda forums that has links to download the stock ROM and other files (though then not directly from the OEM, so there's some element of trust/risk there).
(In your case, it looks like Motorola hosts the G4 images at: http://motorola-global-portal.custhelp.com/app/standalone/bo...)
People throw around the term like it's lost all meaning - usually when someone says they "bricked" their device, they're meaning that "it was moderately inconvenient to recover and I lost my data". Not that it's a literal brick that they now put in the garbage bin.
If you've got recovery, you've got an easy path to getting it up and running again. Just reflash your ROM, a different ROM, a stock ROM, whatever.
If you hose your recovery, you boot your phone into fastboot/odin/heimdall/etc mode which is built into the phone's firmware. From there, you can still flash images to the internal partitions to replace your recovery/system/anything else.
I don't wanna be the guy that doesn't include the "there's always risk" warning on his instructions, but if you're just flashing back and forth between ROMs the worst I'd ever expect you to mess up is wiping your internal storage and photos by accident.
If it has GSM/LTE/CDMA/etc baseband processor with closed implementation, assume it has remote root backdoor. Samsung has already been caught.
osmocombb tried to solve this. That project is essentially dead.
They are proposing to use an external baseband with a USB or UART interface to the main SoC and a kill switch.
I can't really fault 1+ for this debacle -- but this is what happens when OEMs just go along with using these inscrutable blobs of crapware from their upstream vendors.
I only hope Librem can actually pull off their phone. Shipping something fully open in light of findings like this may help to turn the tide.
Edit: I must have remembered wrong or I saw the EngineerMode on the QComm device we developed before our MTK based device. The OnePlus seems to be a QComm device.. :)
This is going to be a fun morning.
Want to know how many times my iPhones have boot looped in the last nine years? Not once ever. My last Android (Nexus 6p) managed to do it several times in the 3-ish months I daily-drove it.
Want to know how long you can expect to get iOS updates with a new hardware purchase? 5+ years. Compared with the very best case for Android: 2 maybe?
How many times with an iPhone have I been expected to install a custom OS to get around a user-hostile feature like I saw about fifty times in the 1 billion outdated androids thread? Zero times.
My girlfriend uses an iPhone; I am consistently blown away by the amount of garbage she's expected to deal with on a regular basis. When she changes to another app, our video chats go dark; there's no Termux or GNURoot equivalent (that I'm aware of); tapping doesn't move the cursor but instead selects words (I think that's it); the mail app is hellaciously bad; she's stuck using Safari and seeing ads. So, so many ads. Ads everywhere. I never see ads on my phone, but on hers the Internet is nothing but ads as far as the eye can see.
The sad fact is that the mobile phone ecosystem in general is full of garbage. Neither Android nor iOS is exempt. But at least with Android I have freedom.
> How many times with an iPhone have I been expected to install a custom OS to get around a user-hostile feature like I saw about fifty times in the 1 billion outdated androids thread? Zero times.
That's because with an iPhone there are no custom OSes and you're stuck with Apple's user-hostile features.
Purify is an ad blocker that works great on the iPhone. Content blockers have been a supported part of iOS for the last couple versions. Apple actually caught a lot of flack from websites for allowing them.
> But at least with Android I have freedom.
Freedom to send all your data to Google? Sure, you can install custom ROMs, but now you're squarely out of any normal user scenario.
> That's because with an iPhone there are no custom OSes and you're stuck with Apple's user-hostile features.
You're considering Apple user hostile when the only way to get around Androids lack of security updates is to go deal with custom ROMs? Apple tends to make the best decision for the largest amount of users. Do they always match up with my decisions? No, but they are close enough, and I don't have to deal with the Android mess when all I want is a working phone.
I was also unimpressed by how difficult it was to get my family member's pictures out of their cloud offering, when asked to do so for relatives.
iCloud also works fine with Apple devices, but can be mostly skipped. Google Photos will happily upload all the pics on the iPhone to Google pictures. The 5GB iCloud is then plenty for iPhone data backups.
>there's no Termux or GNURoot equivalent (that I'm aware of);
Does your girlfrind need a terminal on her phone?
>tapping doesn't move the cursor but instead selects words (I think that's it);
Tab and hold to move the cursor.
>she's stuck using Safari and seeing ads. So, so many ads. Ads everywhere.
Why she doesn't install an Adblocker? It's officially supported directly by the system since a couple of time.
Signal. She has similar issues with other apps. Apparently iOS doesn't support background processes as well as Android.
> Does your girlfrind need a terminal on her phone?
Need? No. But I'd like it.
> Tab and hold to move the cursor.
This is reversed between Android & iOS. For me, at least, I'm far more likely to want to move the cursor than to select a word.
LOL! At the point you expect 99% of phone users to know what Termux or GNURoot are, let alone use them, the argument has already been lost. I have several hundred Android devices for testing and about two dozen iOS devices. It has always struck me that the primary draw to Android is the hackability, but at the same time, it's the greatest weakness in the platform, that and the variability in hardware.
As a Windows Phone user, this is why I'm dreading the day I need to replace my phone and pick a side. It seems like there's no winning in the mobile world.
Unfortunately the camera app is quite a bit worse in my opinion (used it on the OnePlus One, 3T and haven't tested it with my 5). Guess some things are more important at this point..
If you want both root and still full access to these SafetyNet-"protected" apps, you can try the alternative rooting solution Magisk  which specializes on bypassing these (imho arbitrary) restrictions.
I think I remember having this app, along with many other weird ones preinstalled.
Also, does anybody knows why some android phones have some "debug mode" when I plug them via USB? I mean if you think about it, that also sounds like a backdoor.
At that point there are so many critical security flaw coming up every month that I don't really bother anymore.
All of their tech companies owe their entire existence to their respective governments and it's not like the governments set up that environment for them for free.
And it will be really good also to check facts and not yellow press like CNN, BBC and etc and just bullshit Russia.
Trust is a weakness... Never forget it :)
No one will seriously claim the US tech industry has not benefited from the government.
No point singling out specific governments, the NSA is not on your side.
Why? What have you found in proprietary software written in China and Russia?